Poco RAT
Poco RAT is a remote access trojan observed in Spanish-language phishing activity and associated with cyber espionage operations by Dark Caracal. Public reporting states that Dark Caracal delivered Poco RAT via financial-themed phishing, using emails with malicious PDF attachments and fileless malware techniques. The group has targeted government and private organizations across multiple countries, with reporting specifically highlighting Spanish-speaking enterprises in Latin America and broader intelligence-gathering activity aligned with Lebanese state interests. Additional reporting notes that Poco RAT was among the malware families largely exclusive to Spanish-language phishing campaigns between May 2023 and May 2025, alongside 4Shared Loader, Sapphire RAT, Meduza, Metamorfo, and Horabot. Taken together, this reporting indicates with high confidence that Poco RAT is used as part of phishing-led intrusion activity, particularly in Spanish-language campaigns targeting Latin America, and has been linked to Dark Caracal espionage operations.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Prominent APTs, such as Dark Caracal, conducted cyber espionage and delivered the Poco RAT via financial-themed phishing.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: Threat actors typically rely on traditional initial access methods, such as phishing via email, SMS, and WhatsApp messages, impersonating financial institutions, and requesting invoices or payments.
Command and Control
1 technique: TAG-144 (Blind Eagle) primarily targeted government entities in South American countries, notably Colombia, using TTPs such as spearphishing and remote access trojans (RATs)...
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A remote access trojan delivered through financial-themed phishing in cyber espionage activity.
Remote access trojan with espionage features (e.g., file upload, screenshots) used by Dark Caracal against Spanish-speaking enterprises in Latin America.
Remote Access Trojan (RAT) used by Dark Caracal for espionage, often delivered via phishing and fileless techniques.
Remote access trojan observed in Spanish-language phishing campaigns.